How to set up CCISSL with CA Output Management Web Viewer 12.1

Document ID : KB000032444
Last Modified Date : 22/06/2018

How to use TLSV1.2 to Secure the Connection between the Web Viewer Server and CCI.





1. The Common Services CCI Server task on the mainframe (typically named CCISSL) must be configured to use SSL. These CCI Server task settings (symbolic parameters) are the main ones required:
  1. UNSECON: Specifies communication security. It may be set to allow or to require SSL.
  2. PROT: The security protocol used: TLS.
  3. CLAUTH: Specifies whether client certificates are used. This may be “N” (no), but if it is enabled, Web Viewer (the CCI Client) will need a client certificate added to its KeyStore.
2. On the Web Viewer side, there are new parameters in the config tool to set. The connection test has been enhanced to feed back additional information about any errors.

   Web Viewer ships with a sample KeyStore file that contains the same sample certificate delivered with CCI on the mainframe. This sample KeyStore file, cci.jks, is in this directory:
           C:\Program Files\CA\CA_OM_Web_Viewer\apache-tomcat-8.5.32\webapps\CAOMWebViewer12\config  or 
   Modify the path if needed for your environment. You should point to this location when running the configtool. You can only use this sample certificate if you are using the sample certificates on the mainframe.

After running the configtool, you will need to recycle the Web Application Server.

You can verify that SSL is being used by reviewing the CCI Server task’s JESMSGLG. Look for messages similar to:

CAS9855I Task 0002 has TLSV1.2 session with yyyyyyyy(::ffff:
CAS9855I Task 0002 and PC using 128-bit AES_CBC, SHA-1, RSA ("002F")
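
One way to automate this check over a saved copy of the JESMSGLG output, as an added example (not CA's code and not part of the original article). The regular expressions assume only the two CAS9855I layouts shown above; the function names and the task 0003 sample lines are constructed for illustration.

```python
import re

# Patterns follow only the two CAS9855I sample lines shown above; any other
# message layout is not covered (assumption).
SESSION_RE = re.compile(r'CAS9855I Task (\d+) has (\S+) session with (\S+)')
CIPHER_RE = re.compile(r'CAS9855I Task (\d+) and \S+ using (.+?) \("([0-9A-Fa-f]{4})"\)')

def parse_cas9855i(lines):
    """Merge the CAS9855I line pair for each task number into one session record."""
    sessions = {}
    for line in lines:
        m = SESSION_RE.search(line)
        if m:
            rec = sessions.setdefault(m.group(1), {})
            rec["protocol"], rec["peer"] = m.group(2), m.group(3)
            continue
        m = CIPHER_RE.search(line)
        if m:
            rec = sessions.setdefault(m.group(1), {})
            rec["cipher"], rec["suite"] = m.group(2), m.group(3).upper()
    return sessions

def check_sessions(lines, required="TLSV1.2"):
    """Return findings: tasks whose protocol differs, or with no cipher line."""
    findings = []
    for task, rec in sorted(parse_cas9855i(lines).items()):
        proto = rec.get("protocol")
        if proto != required:
            findings.append((task, f"protocol {proto or 'not logged'}, expected {required}"))
        if "suite" not in rec:
            findings.append((task, "no cipher line logged"))
    return findings

# Constructed sample: task 0002 is the pair from the article (peer field truncated
# there, kept as is); task 0003 is an invented non-TLSV1.2 session for contrast.
SAMPLE = [
    'CAS9855I Task 0002 has TLSV1.2 session with yyyyyyyy(::ffff:',
    'CAS9855I Task 0002 and PC using 128-bit AES_CBC, SHA-1, RSA ("002F")',
    'CAS9855I Task 0003 has TLSV1.0 session with zzzzzzzz(::ffff:',
    'CAS9855I Task 0003 and PC using 128-bit AES_CBC, SHA-1, RSA ("002F")',
]

if __name__ == "__main__":
    for task, rec in parse_cas9855i(SAMPLE).items():
        print(task, rec)
    for task, problem in check_sessions(SAMPLE):
        print("FINDING", task, problem)
```

The suite code 002F in the article's sample is the IANA identifier for TLS_RSA_WITH_AES_128_CBC_SHA, which agrees with the cipher description on the same line.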

If you choose to use a KeyStore, the Web Viewer CCI Client interface only uses a Java KeyStore repository file. This is different from what CCI Server supports, but both contain the Trusted Certificate and the (optional) Client End User certificate.

It is your responsibility to create a KeyStore file if you are using your own certificates. 

The Keytool supports these two certificate formats:
- Trusted Certificate: Base64 encoded certificate file containing the CCI server’s public key in X.509 format. Typically, a PEM file.
- Client End User Certificate: A certificate file in PKCS#12 format, containing the public and private key in X.509 format. The private key will be password protected.


Additional Information:

The Web Viewer documentation includes a topic for creating the KeyStore using the JRE keytool utility program - Create Keystore Files for CAICCI with TLS.

Build 85 or higher (RO78064 DRAS UNAVAILABLE ERROR WITH SSL BUILD 78 FOR SOCKET CLOSURE) is required to use CCISSL. Always apply the latest APAR available for Web Viewer 12.1 if possible. APARs are cumulative and include all prior maintenance. Please see KB000011474, "How to locate the latest build (maintenance) for CA Output Management Web Viewer 12.1?"

Also refer to Common Services KB000055371, "CAICCI-SSL and External Security".